GREYCORTEX PROTECTS AGAINST WANNACRY

GREYCORTEX is happy to report that MENDEL, our network traffic analysis solution, affirmatively detects infection by the WannaCry ransomware, its possible variants/clones, and protects users more effectively than rule-based detection tools alone.
Because GREYCORTEX MENDEL uses advanced artificial intelligence, machine learning, and data analysis to identify network anomalies, it easily identifies threats like WannaCry, allowing network security teams to take rapid action and stop threats before they do damage.
In the case of WannaCry, GREYCORTEX tested the ransomware in our malware lab. It was found to engage in aggressive and anomalous practices, like port-scanning behavior on an SMB port (445), attempting to connect to over 4000 devices in 175 countries across the Internet in five minutes, and downloading TOR network software. All of these behaviors were identified by MENDEL’s advanced network behavior analysis.
MENDEL users are better protected from malware like WannaCry and its variants/clones than users of firewall, IDS, or other rule-based security solutions alone. Rule-based security solutions require a known malware signature in order to create a rule. This means an attack must happen before the signature of the attack can be added as a rule. MENDEL doesn’t need a signature to identify the attack. Its network behavior analysis features detect the attack’s symptoms before it harms the network. This means security teams have the peace of mind of knowing that should an attack happen, they will see it and be able to stop it before it does damage.
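The behaviours listed above (many distinct hosts contacted on SMB port 445 within five minutes) are exactly the kind of symptom a behavioural rule can catch without a signature. The block below is an added example, not GREYCORTEX or MENDEL code: it reads constructed flow records and flags any source whose count of distinct TCP/445 targets inside a sliding five-minute window reaches a threshold. The flow format, the internal prefix 10.0.0.0/8 and the threshold of 50 are assumptions made for the example.

```python
"""Behavioural detection of SMB scanning in flow records.

Added example, not GREYCORTEX or MENDEL code. It flags a source that tries
to reach many distinct hosts on TCP/445 within a five-minute window without
needing any malware signature. The flow records, the internal prefix and the
threshold are all assumptions made for this example.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import ipaddress

SMB_PORT = 445
WINDOW = timedelta(minutes=5)
THRESHOLD = 50                                     # assumed; tune per network
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed site prefix


def parse_flow(line):
    """Parse one constructed flow line: '<iso-timestamp> <src> <dst> <dst_port>'."""
    ts, src, dst, port = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port)


def detect_smb_scanners(lines, threshold=THRESHOLD, window=WINDOW):
    """Return {src: summary} for sources whose number of distinct TCP/445
    targets inside any sliding window of length `window` reaches `threshold`."""
    per_src = defaultdict(list)                    # src -> [(ts, dst), ...]
    for line in lines:
        ts, src, dst, port = parse_flow(line)
        if port == SMB_PORT:
            per_src[src].append((ts, dst))

    alerts = {}
    for src, events in per_src.items():
        events.sort()
        in_window = deque()                        # events no older than `window`
        live = defaultdict(int)                    # dst -> hits inside the window
        peak = 0
        for ts, dst in events:
            in_window.append((ts, dst))
            live[dst] += 1
            # Expire events that fell out of the window; a target is
            # forgotten only once none of its hits remain.
            while ts - in_window[0][0] > window:
                _, old_dst = in_window.popleft()
                live[old_dst] -= 1
                if live[old_dst] == 0:
                    del live[old_dst]
            peak = max(peak, len(live))
        if peak >= threshold:
            targets = {dst for _, dst in events}
            external = sum(1 for d in targets
                           if ipaddress.ip_address(d) not in INTERNAL_NET)
            alerts[src] = {"peak_distinct_targets": peak,
                           "total_targets": len(targets),
                           "external_targets": external}
    return alerts


def build_sample_flows():
    """Constructed flow records: one scanner, one slow-but-busy host and one
    ordinary client that talks to three file servers."""
    base = datetime(2017, 5, 12, 10, 0, 0)
    lines = []
    # Scanner: 60 distinct Internet hosts on 445 inside one minute.
    for i in range(1, 61):
        ts = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts} 10.0.0.23 203.0.113.{i} {SMB_PORT}")
    # Slow host: 60 distinct internal hosts, but spread over two hours.
    for i in range(1, 61):
        ts = (base + timedelta(minutes=2 * i)).isoformat()
        lines.append(f"{ts} 10.0.0.40 10.1.0.{i} {SMB_PORT}")
    # Ordinary client: the same three file servers, many times over.
    for i in range(20):
        for server in ("10.0.0.10", "10.0.0.11", "10.0.0.12"):
            ts = (base + timedelta(seconds=3 * i)).isoformat()
            lines.append(f"{ts} 10.0.0.5 {server} {SMB_PORT}")
    return lines


if __name__ == "__main__":
    for src, summary in detect_smb_scanners(build_sample_flows()).items():
        print(f"ALERT {src}: {summary}")
```

Only the scanner is flagged: the slow host reaches the same number of hosts but never more than three inside any five-minute window, and the ordinary client has only three distinct targets however often it talks to them. Counting distinct targets per window rather than raw connection volume is what separates scanning from normal chatty SMB use.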
If you are concerned about malware attacks, either from WannaCry or from other ransomware or malware, you may benefit from a 30-day Proof of Concept (PoC) from GREYCORTEX. During the PoC, MENDEL automatically learns your network to identify threats which may exist, including ransomware lying dormant in your network or unpatched applications which may leave you vulnerable. Do not hesitate to contact your network security professional, or GREYCORTEX directly, to arrange a PoC.

“Petya” ransomware: what we know now


LAST UPDATED 3:10 p.m. PDT: 

A massive new ransomware attack that started in Ukraine is spreading across Europe and the United States, according to Reuters and multiple other sources. Prominent companies that have been affected are the Danish shipping company Maersk and the British advertising company WPP.

The ransomware appears to be related to the Petya family, which is currently detected by ESET as Win32/Diskcoder.C Trojan. 

ESET users can find instructions to ensure the highest level of protection against this threat here. In addition, here is an advisory for ESET customers about the new malware. ESET protects against this threat, provided you have a default install of any modern ESET product. Additionally, any ESET product with network detection protects against the SMB spreading mechanism, EternalBlue, proactively.

The scale of the attack is being compared to the recent WannaCry outbreak. ESET protects both businesses and home users against WannaCry. 


ESET researchers have located the point from which this global epidemic has all started. Attackers have successfully compromised the accounting software M.E.Doc, popular across various industries in Ukraine, including financial institutions. Several of them executed a trojanized update of M.E.Doc, which allowed attackers to launch the massive ransomware campaign today which spread across the whole country and to the whole world. M.E.Doc has today released a warning on their website: http://www.me-doc.com.ua/vnimaniyu-polzovateley.

How does Petya work?

The Petya malware attacks a computer’s MBR (master boot record), a key part of the startup system that contains information about the hard disk partitions and helps load the operating system. If the malware successfully infects the MBR, it will encrypt the whole drive itself. Otherwise, it encrypts all files, like Mischa.


The new malware appears to be using a combination of the EternalBlue exploit used by WannaCryptor for getting inside the network, then PsExec for spreading within it.

To check if your Windows operating system is patched against it, use ESET’s free EternalBlue Vulnerability Checker.


This powerful combination is likely the reason why the outbreak is spreading quickly, even after previous outbreaks have generated headlines and most vulnerabilities should have been patched. It only takes one unpatched computer to get inside the network. From there, the malware can take over administrator rights and spread to other computers.

Petya and crypto-ransomware

In Ukraine, the financial sector, energy sector and numerous other industries have been hit. The scope of the damage caused to the energy sector is not yet confirmed, and there have been no reports of a power outage, as was the case previously with the infamous Industroyer malware that was discovered by ESET.


An image that reportedly shows the ransomware message is making the rounds online, including one from Group-IB with the following message (which we’ve paraphrased):

“If you see this text, then your files are no longer accessible, because they have been encrypted … We guarantee that you can recover all your files safely and easily. All you need to do is submit the payment [$300 bitcoins] and purchase the decryption key.”


How to protect yourself

New WannaCryptor-like ransomware attack spreading globally: everything you need to know

Update Jun 27 – 23.34 CEST: Shutting down the computer and not booting it again could prevent the disk encryption, though several files may already have been encrypted by the time the MBR is replaced and further infection through the network is attempted.

Update Jun 27 – 22.28 CEST: Paying is no longer possible, as the email address to which the Bitcoin wallet ID and “personal installation key” were to be sent has been shut down by the provider. Thus, people shouldn’t pay the ransom, as they will not be able to receive the decryption key.

Update Jun 27 – 21.20 CEST: ESET researchers have located the point from which this global epidemic has all started. Attackers have successfully compromised the accounting software M.E.Doc, popular across various industries in Ukraine, including financial institutions. Several of them executed a trojanized update of M.E.Doc, which allowed attackers to launch the massive ransomware campaign today which spread across the whole country and to the whole world. M.E.Doc has today released a warning on their website: http://www.me-doc.com.ua/vnimaniyu-polzovateley

Numerous reports are coming out on social media about a new ransomware attack in Ukraine, which could be related to the Petya family, which is currently detected by ESET as Win32/Diskcoder.C Trojan. If it successfully infects the MBR, it will encrypt the whole drive itself. Otherwise, it encrypts all files, like Mischa.

For spreading, it appears to be using a combination of the SMB exploit (EternalBlue) used by WannaCryptor for getting inside the network, then PsExec for spreading within the network.

This dangerous combination may be the reason why this outbreak has spread globally and rapidly, even after the previous outbreaks have generated media headlines and hopefully most vulnerabilities have been patched. It only takes one unpatched computer to get inside the network, and the malware can get administrator rights and spread to other computers.

The journalist Christian Borys, for example, tweeted that the cyberattack has “allegedly hit” banks, power grid and postal companies, among others. Moreover, it appears that the government has also come under attack. Borys has also tweeted an image put up on Facebook by Ukraine’s deputy prime minister, Pavlo Rozenko, which shows a computer apparently being encrypted.

The National Bank of Ukraine has also put out a message on its website warning other banks of the ransomware attack.

It stated: “Currently, the financial sector strengthened security measures and counter hacker attacks all financial market participants.”

Forbes said that while there appear to be similarities with WannaCryptor – with others describing it as WannaCry-esque – it is likely to be a variant of Petya.

An image, similar to the one witnessed by WannaCryptor victims, reportedly showing the ransomware message is making the rounds online, with one from Group-IB showing the following message (paraphrased):

“If you see this text, then your files are no longer accessible, because they have been encrypted … We guarantee that you can recover all your files safely and easily. All you need to do is submit the payment [$300 bitcoins] and purchase the decryption key.”

However, a spokesman said that “there is no effect on power supplies”, although it may be too early to ascertain this.

It appears that the ransomware attack is not specific to Ukraine. The Independent said that Spain and India may also have been affected, as well as the Danish shipping company Maersk and the British advertising company WPP.

On the latter’s homepage, the following message reads: “The WPP web site is currently unavailable due to important routine maintenance normal service will resume shortly.

“We apologise for any inconvenience this may cause. In the meantime if you would like to contact WPP, please email the site Editor at the following address …”

WPP has since confirmed on Twitter that it has been the victim of an attack: “IT systems in several WPP companies have been affected by a suspected cyberattack. We are taking appropriate measures & will update asap.”

There are also reports that payments are being made in response to the attack, at the BTC address linked here.

For more on Petya, check out this insightful piece from 2016, which notes of the crypto-ransomware:

Petya took an approach different from that of other crypto-ransomware. Instead of encrypting files individually, it aimed at the file system.

“The target is the victim’s master boot record (MBR), which is responsible for loading the operating system right after system boot.”

In order to prevent this kind of threat, we recommend that you always have your systems fully patched, that you use a proper security solution and that you set up network segmentation, which might help prevent spreading within the network.

This is currently a breaking story. Further updates to come.

The Petya variant is back! ESET antivirus software has detected it and been updated

“Petya” ransomware detected by ESET, last updated 27 June 2017 at 3:10 p.m. PDT

According to Reuters and multiple other sources, a massive new encrypting virus that started in Ukraine is attacking Europe and the United States and spreading to other countries. Among the first affected were the Danish shipping company Maersk and the British advertising company WPP.

This encrypting virus appears to be related to the Petya family; ESET has already detected its attack behaviour and classifies it as Win32/Diskcoder.C Trojan.

If you have an ESET product installed, ESET protects against this threat. In addition, any ESET Security product with network protection can proactively defend against spreading via SMB. The scale of the Petya attack is very similar to the recent WannaCry outbreak. ESET researchers have already identified the attack behaviour of this globally spreading encrypting virus. Petya successfully compromised M.E.Doc, accounting software popular across industries in Ukraine, including financial institutions. Several of them executed a forged file exhibiting typical trojan attack behaviour, which has resulted in the large-scale virus attack now breaking out across Europe and America, across the whole country and around the world.

【Petya attack behaviour pattern】

The Petya malware attacks the computer’s MBR (master boot record). The MBR is a key part of system startup: it contains information about the hard disk’s boot partitions and helps load the operating system.

If Petya successfully infects the MBR, it encrypts the whole hard disk itself. If not, it also tries to encrypt all the files on the computer, like Mischa.
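Both the “How does Petya work?” section above and this translated passage say that Petya targets the MBR, the sector holding the boot loader and the partition table. The block below is an added example, not ESET code: it parses a 512-byte MBR, lists the partition entries it describes, and shows how a defender can detect a replaced boot loader by comparing the boot-code hash with a baseline recorded while the machine was known good. The sectors it works on are constructed in the code rather than read from a real disk.

```python
"""Parse and integrity-check a 512-byte master boot record.

Added example, not ESET code. It shows what the MBR sector contains
(446 bytes of boot code, four 16-byte partition entries, the 0x55AA
signature) and how a defender can compare the boot code against a hash
taken while the machine was known good. The sectors are constructed here
rather than read from a disk.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446          # bytes 0..445: boot loader code
PARTITION_TABLE_OFF = 446    # four 16-byte entries follow the boot code
SIGNATURE = b"\x55\xaa"      # bytes 510..511
ENTRY_FMT = "<B3xB3xII"      # status, CHS start, type, CHS end, LBA start, sector count


def parse_mbr(sector):
    """Return the boot-code hash and the non-empty partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly 512 bytes")
    if sector[510:512] != SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        status, ptype, lba_start, count = struct.unpack_from(
            ENTRY_FMT, sector, PARTITION_TABLE_OFF + 16 * i)
        if ptype == 0:
            continue                          # unused slot
        partitions.append({"index": i, "bootable": status == 0x80,
                           "type": ptype, "lba_start": lba_start,
                           "sectors": count})
    return {"boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
            "partitions": partitions}


def is_valid_mbr(sector):
    """True when the sector has the right size and boot signature."""
    try:
        parse_mbr(sector)
        return True
    except ValueError:
        return False


def boot_code_matches(sector, baseline_sha256):
    """True when the boot loader bytes still hash to the recorded baseline."""
    return parse_mbr(sector)["boot_code_sha256"] == baseline_sha256


def build_sector(boot_code, partitions):
    """Assemble a constructed sector from boot code and (status, type, lba, count) tuples."""
    if len(boot_code) > BOOT_CODE_LEN or len(partitions) > 4:
        raise ValueError("boot code or partition list too large")
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    for i, entry in enumerate(partitions):
        struct.pack_into(ENTRY_FMT, sector, PARTITION_TABLE_OFF + 16 * i, *entry)
    sector[510:512] = SIGNATURE
    return bytes(sector)


# Constructed data: a stand-in boot loader and one bootable NTFS partition
# starting at LBA 2048. The "replaced" loader stands in for a bootkit that
# overwrote the boot code but left the partition table untouched.
GOOD_BOOT_CODE = (b"\x33\xc0\x8e\xd0\xbc\x00\x7c"
                  + b"constructed boot code".ljust(BOOT_CODE_LEN - 7, b"\x00"))
REPLACED_BOOT_CODE = (b"\xeb\xfe"
                      + b"constructed replacement loader".ljust(BOOT_CODE_LEN - 2, b"\x00"))
SAMPLE_PARTITIONS = [(0x80, 0x07, 2048, 204800)]

if __name__ == "__main__":
    good = build_sector(GOOD_BOOT_CODE, SAMPLE_PARTITIONS)
    baseline = parse_mbr(good)["boot_code_sha256"]
    replaced = build_sector(REPLACED_BOOT_CODE, SAMPLE_PARTITIONS)
    print("baseline intact:", boot_code_matches(good, baseline))
    print("replaced loader detected:", not boot_code_matches(replaced, baseline))
    print("partition table unchanged:",
          parse_mbr(good)["partitions"] == parse_mbr(replaced)["partitions"])
```

The point of hashing only the first 446 bytes is that a bootkit which swaps the loader while preserving the partition table leaves the disk looking normal to tools that only list partitions; the boot-code hash still changes, so a baseline recorded at deployment time is enough to notice the replacement.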

Petya appears to use the same EternalBlue vulnerability as WannaCryptor to get onto the network, then attacks via PsExec.

*Please use ESET’s free EternalBlue vulnerability checker to verify whether your Windows system has been updated

This powerful attack pattern is probably why the outbreak has spread so quickly, even though previous outbreaks made headlines everyone knows about and most vulnerabilities should already have been patched. It only needs to compromise one un-updated computer and get into the network to start spreading. The malware can then obtain system administrator rights and spread to other computers.

In Ukraine, the financial sector, the energy sector and several other industries have been attacked. The extent of the damage to the energy sector has not yet been confirmed; fortunately there has been no power outage so far, unlike previously with the infamous Industroyer malware discovered by ESET. Reports show that computers successfully attacked by the Petya ransomware display the same message as the one published by Group-IB, which includes the following translated content:

“If you see this text, then your files can no longer be read or written, because they have been encrypted … We guarantee that you can safely and easily recover all your files. All you need to do is pay $300 in bitcoin to purchase the decryption key.”

ESET security experts recommend five points:

1. Use professional, reputable antivirus software (ESET NOD32) and keep it updated. (Basic but very important: although the operating system has a built-in firewall, that does not mean it doesn’t need antivirus software.)

2. Make sure you have installed all the latest Windows updates and patches.

3. Run ESET’s EternalBlue vulnerability checker to see whether your Windows computer has been updated against the EternalBlue vulnerability, and update it if necessary.

4. ESET home users: check that your virus signature database is updated to the latest date.

5. ESET business users: you can manually push a signature update task to all client computers, or run the signature update in the antivirus software on each client.

#For more product information:

Business users: https://www.eset.tw/business/endpoint-security/

Home users: https://www.eset.tw/home/

#To purchase products: https://www.eset.tw/estore/zh/

Or call the ESET security professional services team: (02)7722-6899

Subscribe to the newsletter for the latest security defence news: https://www.eset.tw/e-news/subscribe/

*ESET detection tool:

ESET releases “EternalBlue Vulnerability Checker” to help combat WannaCry ransomware

https://www.eset.com/us/about/newsroom/press-releases/eset-releases-eternalblue-vulnerability-checker-to-help-combat-wannacry-ransomware/

Original source: https://www.eset.com/us/about/newsroom/corporate-blog/petya-ransomware-what-we-know-now/